\r
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:\r
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;\r
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)\r
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ // Data buffer should not contain SMM range\r
+ //\r
+ if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
Status = VariableServiceSetVariable (\r
SmmVariableHeader->Name,\r
&SmmVariableHeader->Guid,\r
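Review bot: The sum assigned to `InfoSize` can wrap, because `DataSize` and `NameSize` are read from the caller-supplied communication buffer and added to the `OFFSET_OF` value with no overflow check; a wrapped, small `InfoSize` would pass the comparison against `*CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE` while the oversized fields still reach `VariableServiceSetVariable`. The second hunk on this page (the same `SMM_VARIABLE_FUNCTION_SET_VARIABLE` case) has the same gap. I would reject wrapping inputs before the addition, as sketched below, assuming the size fields and `InfoSize` are `UINTN` (their declarations are outside the hunk). The right-hand subtraction can also underflow if `*CommBufferSize` is smaller than the header size, and the size fields are presumably read again from the shared buffer after this check, so it is worth confirming that an earlier length check and a snapshot of the sizes exist. The case body starts and ends outside the hunk.

```c
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;
if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
    ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
  //
  // Reject sizes whose sum would wrap before the bound check below
  //
  Status = EFI_ACCESS_DENIED;
  goto EXIT;
}
// … unchanged: InfoSize computation and comparison against *CommBufferSize …
```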
\r
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:\r
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data;\r
+ InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)\r
+ + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;\r
+\r
+ //\r
+ // SMRAM range check already covered before\r
+ // Data buffer should not contain SMM range\r
+ //\r
+ if (InfoSize > *CommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {\r
+ DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n"));\r
+ Status = EFI_ACCESS_DENIED;\r
+ goto EXIT;\r
+ }\r
+\r
Status = VariableServiceSetVariable (\r
SmmVariableHeader->Name,\r
&SmmVariableHeader->Guid,\r